Pulse: CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer
TLP: WHITE | Author: AlienVault | Created: 2017-12-20 | Modified: 2017-12-20
209 IOCs (high volume)
The Cobalt hacking group was one of the first to promptly and actively exploit CVE-2017-11882 (patched last November) in their cybercriminal campaigns. We uncovered several others following suit in early December, delivering a plethora of threats that included Pony/FAREIT, FormBook, ZBOT, and Ursnif. Another stood out to us: a recent campaign that used the same vulnerability to install a “cracked” version of the information-stealing Loki.
Indicators of Compromise (209)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA256 0026b14f896934c621eccca48474353fff08f592ebc2949dde4b881f2353e3d2 2017-12-20
FileHash-SHA256 00d1ed4049db2cd84b735813beaf785a3770f9e72bfe3684b5cea1ecf1b4be98 2017-12-20
FileHash-SHA256 03ad225eae702b381e4ebfb4025464d36d582c3fe2289369fac6c8339e69bfbc 2017-12-20
FileHash-SHA256 0a6dffa7e3fe94bef9865778816468cd9e6ca3065b592d93e33b3d9dc733a992 2017-12-20
FileHash-SHA256 0e2385518be5d5ab4a3b55240debf15a34a184ca912ac598f009b34ad9f6902e 2017-12-20
FileHash-SHA256 0eb633fae5cfd0ef55217e24cda47d75168c9af19c2e8077376a6dcb8b5a4b55 2017-12-20
FileHash-SHA256 12979add67c70fa4d82fba7bd24632dc8dad2957c8b0d272a3644267bb32433d 2017-12-20
FileHash-SHA256 14ce9d17a63f2e4abd6f7c51e3a6c76e6ece24455dcdcf905dfd4df09b5fb74d 2017-12-20
FileHash-SHA256 161953f59fe452c87461e0eaf4f292779ef190cc75ba46b3559bb628aaed3b00 2017-12-20
FileHash-SHA256 1725a4902ac7f0727d68d6b745721a4ac1e56d7fcb221097bf9b2d2195237178 2017-12-20
FileHash-SHA256 1a53a0f445aca7b6b3aa6b87c4e08f2e649f47aab68c6aa0fc69aedd7f100bb4 2017-12-20
FileHash-SHA256 1bc9381f0e81f37f33513148867f918c937c78d4df3087039858fb8d058e7fc1 2017-12-20
FileHash-SHA256 220de568269d96b8eff47544567c07f255e50b88acc8dc653602ded575d93805 2017-12-20
FileHash-SHA256 26af5209c0536daa6ca3b190cc37f1fa85eb7362f57dbcf34594bdb616da8b33 2017-12-20
FileHash-SHA256 27826bd0951e02bbe17b86560808b876e90805ace44f3d664eea41d96441ab4a 2017-12-20
FileHash-SHA256 28f129fd0c9d02be750dbcc7a6730d699223150af070917d55a284a9ab88952f 2017-12-20
FileHash-SHA256 2a8f8218bef8755edcb9b6c1f1c30d678645f6e1d7fa967311b027678516fe43 2017-12-20
FileHash-SHA256 2bf5cfe7a5b6a81c4cfb5c45c1616f78bb36adfe89a6cfe21fe81f6f95220a2b 2017-12-20
FileHash-SHA256 30854636603f3a8b1b7f8426eaa2ff4afdb06281f0207f1b2c5dbb981679bb4b 2017-12-20
FileHash-SHA256 326c05270666f33c76d0405ea5fec943c4cea64c5acb5cd0a72f0d3c29f67c0f 2017-12-20
FileHash-SHA256 35dbdc8374c26cc26e078bd1bd2f51c1651291c2ad1dfcb4b90f9d4da1530917 2017-12-20
FileHash-SHA256 369638e06c737bce87c6eaa4f3fd6f5402af4d3aca2ace897f893714b59afb85 2017-12-20
FileHash-SHA256 3b54d1a177ea34a7c581ea1a3c7b1a2f4b14dd1fbb07d141f1544a4105588cba 2017-12-20
FileHash-SHA256 3dfb11c5ee8c8f8f8021abde03ab64a3d03fdc1d7529bf81666361aaf6b2c9d7 2017-12-20
FileHash-SHA256 404cab99464058f0722bc3238b209755963b232e5a81d8748ad6ee0de82ca35c 2017-12-20
FileHash-SHA256 40b09df4e47bb14e19be9e2162bfd912b81df38c54922f3ca64e007a9778e2a2 2017-12-20
FileHash-SHA256 467c63a8b829902b3b7321b1bfd603a70614473db58c468c5f5d40982913d610 2017-12-20
FileHash-SHA256 48b5e024d397299626ae8cb48ccb566012a004cb3c0d182a382f51d466020e7f 2017-12-20
FileHash-SHA256 4caa711f7c98f5fa3bc88e98699378e7e6082a7baf8aba596d3f5882497813fc 2017-12-20
FileHash-SHA256 4ff414a855b23a7a11a60aa1da89140aa70947371b0daaeb7baa7a70cc07d485 2017-12-20
FileHash-SHA256 50c5f427900dbda55661b57b30b6aaa66b458a9f34e50be0f9c5683a27873103 2017-12-20
FileHash-SHA256 564ddae99617959c1f7a8f82e06d93d189ab075ab5ccc98841f452f4673e508d 2017-12-20
FileHash-SHA256 571bd8985f9297ea39f688ffbbaa14a765e89a0db8bcc161b05c5046fa921aa0 2017-12-20
FileHash-SHA256 5995a599feb35b4dbdea133cc3b9121c37f78a8011f06250c64322307c960969 2017-12-20
FileHash-SHA256 5bd97158059a46026770efc687b238cf0baf41880e01f125f55ae54b6f501984 2017-12-20
FileHash-SHA256 5d656d7182517d0e09f1fc7544457bfefdddbc317de15fdfb4850886b695f6d7 2017-12-20
FileHash-SHA256 6018149449143aa2eb1a0248a9535c796fe9d319e96bdbb83a7c8abf0c145e2c 2017-12-20
FileHash-SHA256 6351fd8c3a125dd0c2060540961477e56efb5c5fb8fad930c2929aaa666dd9a2 2017-12-20
FileHash-SHA256 69bde8f8a0f2a23956eb9c0fa8782dc1e89f534eb8e01e0c8e193e07e72ac76c 2017-12-20
FileHash-SHA256 6c4ab8732d25510684839a466506f89c7aef133abf91f2ab30c12c94dd42c05a 2017-12-20
FileHash-SHA256 6ef6a9255f7448e0c37a51f19b9f97757b89b1fd6eebd63cedc2eeab9739cdcc 2017-12-20
FileHash-SHA256 71213c664ce0f013cd581a0e943945b1246f81bef43d606e312a961e5901601a 2017-12-20
FileHash-SHA256 7744f7b3c707e4b5d1f8e0f5e4f1db3398194857af50798ac13c7f3c55ce8f9d 2017-12-20
FileHash-SHA256 7cbc9bd3f2234872aeec5a2017790e98a227fcf7864156ab17f7421e17c3c7a9 2017-12-20
FileHash-SHA256 7f638f6206be06396d60b883572c43f606e99ea9f437f17fd5c9c1e190367357 2017-12-20
FileHash-SHA256 8442611940c325a5e7d9f58b7a8fa333b4f0ef3fade263cc742ec135844c91b7 2017-12-20
FileHash-SHA256 850e7a49e9d50a5195967b0cf68779b928030615b24161d86bcd8f4e63689785 2017-12-20
FileHash-SHA256 8559aa90340a97631b039ad3cb9e0498a5d78b87e3d71d3a6728c46a6d50edc3 2017-12-20
FileHash-SHA256 8a42b676f5998f2c9c155a018ad788ec6e603ddfa900c70e413af094584d5679 2017-12-20
FileHash-SHA256 9006b9665fba06783fe32870fc0dfd9ba502e6cced5c7352d24d438ed83f2462 2017-12-20
FileHash-SHA256 92f1219f1dd31f00412579b846e77b61f1a6e3e1f039e7f08409985930b9143b 2017-12-20
FileHash-SHA256 93dca3fc78bc266452402d83e184980b11e81e1e05b86d2b5abfbfe95504da39 2017-12-20
FileHash-SHA256 95ac59daf9cd7c69b35474188522286e2f6f2b23e94ad70aab744dd7f2dccaf6 2017-12-20
FileHash-SHA256 97894235124b1b4027278dd80f152bd9c977f31ffcb9f6c3cfe4bbb7847e7407 2017-12-20
FileHash-SHA256 97cc28b6c03d62c0f768b7bce7ebf2e1ca0d12ae831f904ce3028a47ebea7d36 2017-12-20
FileHash-SHA256 9b69ffa0990d178d087d83b9f9e393d0b96b8c6c2da2f58996c1889730c8f765 2017-12-20
FileHash-SHA256 9cdbdc5b917a4e8be41b8ec3fee3a59d2aafd5303857f43a61cd36bcae874cd7 2017-12-20
FileHash-SHA256 9d6ce921878e549e8a09826cb1c1b7944280c1b606f9fb1e9b4454916a5d0c26 2017-12-20
FileHash-SHA256 a1856e1cd568458e74011e7cbc7ca7db16d9dfe6f9d2d59490c810436a34dd8c 2017-12-20
FileHash-SHA256 a2cc58eee7021d61c189701c3b2b93d035647d439a86394a00ed2f473dd92601 2017-12-20
FileHash-SHA256 a43f62ea3b268b5704b0415f110620f695590e073ede02afaa56e5b7a0505eba 2017-12-20
FileHash-SHA256 a440df4c2569bfa68a00b74815c8062b6da63791c4fb99d59a75cbc92b2f486b 2017-12-20
FileHash-SHA256 a6814014b4390e2498bf7ec23c34c1fdb6ed06490ef23320232591ff5d0b1354 2017-12-20
FileHash-SHA256 a921bbde5773619d7748ffd286853739748e78a287647e943507e2745b62db55 2017-12-20
FileHash-SHA256 a99aa73acc1944d0242fbf88089206b8bd44c7b37965bc459a20ceb81dade50d 2017-12-20
FileHash-SHA256 ab6e1b20e7bddc16df72b7a6fd7ec0ef003cfb2944acc5f4f889913994ed49b0 2017-12-20
FileHash-SHA256 ac87b9ba5619fbf64a0cae490e268f0cf41e2da113cbda1a3b72d2dd6a3274c5 2017-12-20
FileHash-SHA256 add2fa2c8f4065c393405885f0fc553e866ce4ad699a3f90b3707a04bb5df7f3 2017-12-20
FileHash-SHA256 b1336bed53a86c24385ee478f1cdbffad6430dc31bdc72bfcd64f420911de4cf 2017-12-20
FileHash-SHA256 b4494cd7f55e105b6010d969968d8034dc83fbcfe773ef83c70f2311848c10a1 2017-12-20
FileHash-SHA256 bb16e622533031379c44eaa58cb1b7ffa3a983e2662dc3ad769f4415305c76a0 2017-12-20
FileHash-SHA256 bd69f0e6f0aa10b9dcf70382709a1956e6a50e7be3e709d9bb2b1753405e6e03 2017-12-20
FileHash-SHA256 c1437395619147693b12be9f5d0f95e39d10862c641d8e94d7e169d6f44f81ef 2017-12-20
FileHash-SHA256 c41de290657158d61f50ad32ae802eff77c70e491fcaeae5bffeb0b1c964f334 2017-12-20
FileHash-SHA256 c528934b17a1577d3be5d7feb74ca69a0f39a35bac1414b529efc21c915332f9 2017-12-20
FileHash-SHA256 ca612b0f95c6da850ac84c13f90a3094688ece98261695f0c0a1cf481cc3f68f 2017-12-20
FileHash-SHA256 cda5f709a738fa29e53e918e3573289c201f84d1472adcade624dad65343d8d9 2017-12-20
FileHash-SHA256 d0a69965781b3c4c53c62e2ee74fc73a672da7efe571404bea249371534ad090 2017-12-20
FileHash-SHA256 d61e36db60622a63b29733d9a6c8dc24f98e0e6d4e4e81a256904e22514bb0e6 2017-12-20
FileHash-SHA256 d7ae1c11678e54d25218a116694ca0db2b01033ee291da6a3471571007b5dcc3 2017-12-20
FileHash-SHA256 dd80431b9bd1dbd4f417d83b6b2859d760df0c292d02015b1abba6039faf13c9 2017-12-20
FileHash-SHA256 df50d7d75bceb1cd995e955700c8ca8a0ef6efec5e25dde28b303313eb54405d 2017-12-20
FileHash-SHA256 f3fd17f9d8fad1160a90d881f8b9e1fb159a03f3960d1902ead740f8d5879f45 2017-12-20
FileHash-SHA256 f5cc0b0ae5d2339c5ec6480669e745a443292d49f666f2bec8d7725f51d7765a 2017-12-20
FileHash-SHA256 f813cf02237da59747c8ee5947cc7a6cffbd6403e54734a3bf5fe4b6e98daa3c 2017-12-20
FileHash-SHA256 f961d8a4a9c168d553910bea89a4760d1ad06ec6ac3032d23872e0378aee512c 2017-12-20
FileHash-SHA256 ff18b96950d524bf9aa0f377588663afa4a36ec1cf23002c2a894d688012416f 2017-12-20
FileHash-SHA256 ff8c4b15e7a7836402e3c4b9b5edff3e89c92d239d3f034902bf730822bca604 2017-12-20
FileHash-SHA256 ffcd475da57f057ab63d3219f088007eae2a746a7a8b87ae24b4e0db7afb8d3f 2017-12-20
URL http://101.99.84.24/sms/52-1/fred.php 2017-12-20
URL http://108.61.196.228/five/fre.php 2017-12-20
URL http://109.235.70.223/lifetn/fre.php 2017-12-20
URL http://156.67.106.239/cronic/loki/fre.php 2017-12-20
URL http://156.67.106.239/hustle/loki/fre.php 2017-12-20
URL http://176.31.222.117/kros/fre.php 2017-12-20
URL http://185.141.26.69/~hastic/muller/fre.php 2017-12-20
URL http://185.165.29.182/alexben1/1/fred.php 2017-12-20
URL http://185.165.29.24/cgi-binn/five/fre.php 2017-12-20
URL http://185.207.207.20/slim/five/fre.php 2017-12-20
URL http://185.62.188.11/marieg/010/fred.php 2017-12-20
URL http://194.135.82.113/v1/fre.php 2017-12-20
URL http://195.181.245.196/v1/fre.php 2017-12-20
URL http://198.46.238.120/ochus/Panel/index/five/fre.php 2017-12-20
URL http://198.54.120.205/scroll/NW/fre.php 2017-12-20
URL http://216.170.123.111/price/five/fre.php 2017-12-20
URL http://247bags.website/bobokay/wp-content/Panel/five/fre.php 2017-12-20
URL http://80.208.226.44/v2/fre.php 2017-12-20
URL http://80.209.224.203/v2/fre.php 2017-12-20
URL http://94.23.148.41/fre.php 2017-12-20
URL http://accountsofsc.com/west/five/fre.php 2017-12-20
URL http://ajexceptapps.club/five/fre.php 2017-12-20
URL http://alhadin.nl/Earl2/five/fre.php 2017-12-20
URL http://amazoncc.ru/lokey/fre.php 2017-12-20
URL http://amberwater.com.my/plugins/panel/fre.php 2017-12-20
URL http://belarustravelsview.ml/voke/Panel/five/fre.php 2017-12-20
URL http://bitxz.online/five/fre.php 2017-12-20
URL http://btlworldwides.com/grim/zax/fre.php 2017-12-20
URL http://citricpule.xyz/jacku/jack.php 2017-12-20
URL http://clargee.us/jon/fre.php 2017-12-20
URL http://constructorasinmuros.com/css/images/admin/modules/five/fre.php 2017-12-20
URL http://ddbb.eu/five/fre.php 2017-12-20
URL http://egobiawa.com/Panel/five3/fre.php 2017-12-20
URL http://elalamia2000.xyz/chikarica/5/fre.php 2017-12-20
URL http://epco.nut.cc/ml/vrs/peta/2/lok/panel/fre.php 2017-12-20
URL http://etc.ashcarsales.co.za/fre.php 2017-12-20
URL http://eualube.com/throwan/bhoka.php 2017-12-20
URL http://fbcom.review/lo/five6/fre.php 2017-12-20
URL http://fourrese.net/colonel/Panel/five/fre.php 2017-12-20
URL http://gamesarena.gdn 2017-12-20
URL http://gamesarena.gdn/animationsetup1/animation1kc/fre.php 2017-12-20
URL http://gamesarena.gdn/animationsetup2/animation2kc/fre.php 2017-12-20
URL http://gamesarena.gdn/animationsetup3/animation3kc/fre.php 2017-12-20
URL http://gamesarena.gdn/animationsetup4/animation4kc/fre.php 2017-12-20
URL http://gamesarena.gdn/autoconfig/level3sp/fre.php 2017-12-20
URL http://gamesarena.gdn/configsettings/winning4cj/fre.php 2017-12-20
URL http://gamesarena.gdn/donjykes/fre.php 2017-12-20
URL http://gamesarena.gdn/settings/settingsdu/fre.php 2017-12-20
URL http://gamesarena.gdn/setup-bin/settingspascal/fre.php 2017-12-20
URL http://gamesarena.gdn/startsetup/startup5ed/fre.php 2017-12-20
URL http://gamestoredownload.download 2017-12-20
URL http://gamestoredownload.download/animationsetup1/animation1kc/fre.php 2017-12-20
URL http://gamestoredownload.download/animationsetup2/animation2kc/fre.php 2017-12-20
URL http://gamestoredownload.download/animationsetup3/animation3kc/fre.php 2017-12-20
URL http://gamestoredownload.download/animationsetup4/animation4kc/fre.php 2017-12-20
URL http://gamestoredownload.download/autoconfig/level3sp/fre.php 2017-12-20
URL http://gamestoredownload.download/configsettings/winning4cj/fre.php 2017-12-20
URL http://gamestoredownload.download/donjykes/fre.php 2017-12-20
URL http://gamestoredownload.download/flexysettings/settings4flexy/fre.php 2017-12-20
URL http://gamestoredownload.download/settingsdu/wp-contentsdu/fre.php 2017-12-20
URL http://gamestoredownload.download/startsetup/startup5ed/fre.php 2017-12-20
URL http://gamestoredownload.download/wp-contents/settingspa/fre.php 2017-12-20
URL http://gistsstack.com/panel/fre.php 2017-12-20
URL http://globalmekrim.com/love/fre.php 2017-12-20
URL http://gortyllc.website/images/Panel/five/fre.php 2017-12-20
URL http://henqipec.com/kentex/Panel/five/fre.php 2017-12-20
URL http://heyofnices.com/trice/five/fre.php 2017-12-20
URL http://icaropccint.club/sev7n/fre.php 2017-12-20
URL http://jahisable.com/baggins/Panel/five/fre.php 2017-12-20
URL http://jahisable.com/divver/Panel/five/fre.php 2017-12-20
URL http://justloki.info/marley/five/fre.php 2017-12-20
URL http://kingu.xyz/cool/Panel/five/fre.php 2017-12-20
URL http://knowkeren.xyz/adi/Panel/five/fre.php 2017-12-20
URL http://koprio.ml/atlantics/panel/fre.php 2017-12-20
URL http://krets.square7.ch/wrk/fre.php 2017-12-20
URL http://lokpanels.info/ext/donemy/fre.php 2017-12-20
URL http://loramyra.smrtp.ru/lok/five3/fre.php 2017-12-20
URL http://loramyra.smrtp.ru/lok/five9/fre.php 2017-12-20
URL http://luxloki.info/lux/five/fre.php 2017-12-20
URL http://mairi-g.com/Work0space/IK/fre.php 2017-12-20
URL http://maunowhg.com/wp-content/themes/twentytwelve/css/Panel/five/fre.php 2017-12-20
URL http://mobizwiz.xyz/rox/rox.php 2017-12-20
URL http://mulyadi.co.id/wp-content/uploads/2017/01//Panel/five/fre.php 2017-12-20
URL http://nelz.shiponka.com.de/panel/fre.php 2017-12-20
URL http://p-hub.net/cane/dony/fre.php 2017-12-20
URL http://palapala.square7.ch/job/fre.php 2017-12-20
URL http://pviewfile.ru/2695217/original/fre.php 2017-12-20
URL http://ramesa.com.au/pro/Panel/fre.php 2017-12-20
URL http://randomheadshots.tk/fre.php 2017-12-20
URL http://rbxl.services/smad/five/fre.php 2017-12-20
URL http://rythm.globalmekrim.com/love/five/fre.php 2017-12-20
URL http://shipboot.com/dev/wp-admin/images/Panel/five/fre.php 2017-12-20
URL http://subsindia.com/new2/fre.php 2017-12-20
URL http://toch.hgigardenpatio.com/Panel/five/fre.php 2017-12-20
URL http://tokimecltd.ru/test/five/fre.php 2017-12-20
URL http://topytop.xyz/ch/Panel/five/fre.php 2017-12-20
URL http://u0418693.cp.regruhosting.ru/name/Masky/fre.php 2017-12-20
URL http://u0424064.cp.regruhosting.ru/ADMIN/IK/fre.php 2017-12-20
URL http://u0431828.cp.regruhosting.ru/ADMIN/Bobokay/fre.php 2017-12-20
URL http://u0431828.cp.regruhosting.ru/ADMIN/Charles/fre.php 2017-12-20
URL http://u0431828.cp.regruhosting.ru/WP-Content/Ben/fre.php 2017-12-20
URL http://u0432678.cp.regruhosting.ru/DECEMBER/iyke//fre.php 2017-12-20
URL http://u0437697.cp.regruhosting.ru/Admin/iyke/fre.php 2017-12-20
URL http://wellmaxlimiteds.com/en/max/fre.php 2017-12-20
URL http://weneedcheese898.com/wp/wp1/pr/j/fre.php 2017-12-20
URL http://youthwinger.com/let/Panel/five/fre.php 2017-12-20
URL http://yupservice.ru/five/fre.php 2017-12-20
URL http://zeroci.club/boss/fre.php 2017-12-20
URL https://burkino51.000webhostapp.com/Panel/five/fre.php 2017-12-20
URL https://impoexpoboton.com/images/Panel/five2/fre.php 2017-12-20
URL https://jibnd.com/wp/wp-ups/wp_config/wp-files/fre.php 2017-12-20
URL https://master-patent.ru/filesthrogh/Panel/five/fre.php 2017-12-20
URL https://mnbvcxz.biz/oj/five/fre.php 2017-12-20
URL https://mnbvcxz.biz/pc/five/fre.php 2017-12-20
URL https://salesxpert.biz/marley/five/fre.php 2017-12-20
URL https://satriafbs.com/eby/wp-admin/Panel/five2/fre.php 2017-12-20
URL https://supertroit.xyz/dbwork/fre.php 2017-12-20
URL https://tacro.eu/wp/wpmf/fre.php 2017-12-20
URL http://logzbox.info/admin1/Panel/five/fre.php 2017-12-20
CVE CVE-2017-11882 2017-12-20